Yahoo hack analysis shows little evidence of foreign involvement

Last week, Yahoo owned up to the largest hack known to have occurred in computing history. Passwords, logins, and other account information on some 500 million people were stolen in the heist. At the time, Yahoo claimed that the hack was the work of state-sponsored actors — but independent analysts examining the hack have begun pushing back on that assessment, while current and former Yahoo employees say security was a distant priority at the company.

InfoArmor has published a timeline and history of the attack against Yahoo. The first offers to sell Yahoo-derived data appeared on April 3, 2016. According to InfoArmor’s analysis, the individuals attempting to sell the Yahoo data (and other major data sets for websites like Instagram, LinkedIn, Dropbox, MySpace, and Tumblr) are fronting the data sets for criminal groups, as opposed to acting directly on behalf of government agencies in foreign countries. It’s not always easy to tease these relationships apart, since criminal hackers sometimes sell data to nation-states, or could be hired to work directly on their behalf.

The graphic below shows the proposed relationships between a set of professional, Eastern European black hats (in green), English-speaking threat actors (in red), and a potential group of state-sponsored actors who purchase data from the digital fences but weren’t directly involved in the hack itself (in purple).

It’s generally considered difficult to prove that any single government was responsible for a hack. But state-sponsored attacks tend to be extremely sophisticated, with carefully crafted malware that goes after specific targets. If conventional malware attacks are WW2-era carpet bombing, targeted, state-sponsored malware is the modern, self-guided ‘smart’ weapon with precision strike capabilities and advanced munitions. The InfoArmor analysis also revealed the scope of what was taken from Yahoo: login IDs, country codes, recovery emails, date-of-birth records, MD5 password hashes, cell phone numbers, and zip codes were all stolen.

Yahoo: Too terrified of losing users to protect them

An investigation by the New York Times doesn’t paint a flattering picture of Yahoo’s security infrastructure. While Yahoo created a dedicated security team after high-profile attacks took down other services, it rarely listened to its own experts, dubbed the “Paranoids” internally. Yahoo didn’t implement a bug bounty program until 2013, three years after Google debuted its own. In 2013, the Snowden leaks demonstrated Yahoo was a frequent target of hack attempts, but it took the company a full year to even hire a chief information security officer.

Yahoo’s security team pushed for end-to-end encryption for all Yahoo products. They were shut down by protests from the senior VP overseeing email and messaging services, Jeff Bonforte, who claimed end-to-end encryption would limit Yahoo’s ability to search and index email or offer new services to customers. When Yahoo’s new chief security officer went to bat for user privacy and security, he found little support from CEO Marissa Mayer. The Paranoids were starved for resources, and their suggestions for improving security through superior intrusion detection were denied as well, according to the report. Even a request to automatically reset passwords for all users in the wake of a major breach was denied.

Why? Money and reach. Mayer and other executives were concerned that any disruption to service — even something as simple as a password reset — could trigger more users to leave the company and seek service elsewhere. Yahoo notified its customers that a hack had occurred, but took no other action to protect its customers. Between the lack of evidence for state-sponsored activity, and growing awareness that the company’s lack of concern for security played a significant role in its own downfall, Yahoo is looking like a worse acquisition for Verizon all the time.

Yahoo management could have used the Snowden leaks to justify a new round of spending and consumer-centric, privacy-friendly changes. After all, it was thanks to Snowden that we found out Yahoo had challenged the government’s right to spy on its customers in multiple secret court battles. Yahoo could have built on that record and appealed to more customers in the process. Instead, it refused to implement best practices because it was afraid of losing market share at an even faster rate.

Why hasn’t anyone talked about the recent Blizzard hack during a tournament or the Twitch hack? Couldn’t they be held just as accountable as Yahoo? I know what I saw when Blizzard was hacked. At 3:06 the game server stopped in the middle of the tournament match and their upcoming patch 3.6, “3” and “6”. It doesn’t feel coincidental either.

Joel Hruska

We don’t really report on dubious attempts to link numerology to Blizzard hacks. Or any hacks, for that matter. It’s not impossible that someone would time an attack this way, but it doesn’t really tell us anything (other than the person likes Blizzard games and felt like being cheeky).

Kary

I doubt there’s anything on a Yahoo server (or AOL server) that a government would have interest in. It would probably be a good place to hide things. ;-)

Amandaseyfried

Yahoo Inc. (also known simply as Yahoo!, styled as YAHOO!) is an American multinational technology company headquartered in Sunnyvale, California. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 2, 1995.[8][9] Yahoo was one of the pioneers of the early internet era in the 1990s.[10] Marissa Mayer, a former Google executive, serves as CEO and President of the company.[11]
It is globally known for its Web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports, and its social media website. It is one of the most popular sites in the United States.[12] According to third-party web analytics providers, Alexa and SimilarWeb, Yahoo! is the highest-read news and media website, with over 7 billion views per month, being the fifth most visited website globally, as of September 2016.[7][13][14] According to news sources, roughly 700 million people visit Yahoo websites every month.[15][16] Yahoo itself claims it attracts “more than half a billion consumers every month in more than 30 languages”. http://www.mobiringtone.com/channel/16/bollywood-hindi-ringtones/
